Security-wg: [Question] How to assign an ID to security issues?

Created on 4 Mar 2018 · 4 comments · Source: nodejs/security-wg

Hi! Sorry, I'm a little confused with the whole process of making a PR with a fixed issue for a third-party module which was fixed without the involvement of the Node.js triage team.

In particular, I'm unsure how to populate the JSON file. For example, how do I select an id field that doesn't conflict with those of other researchers; and what should go in a slug (just a unique, descriptive string?)

Sorry for the questions, perhaps I missed something in the READMEs.

question

All 4 comments

Hi @joker314, great to see you jump in! :)

  • The IDs are indeed just incremental numbers of the filenames for the vuln. It's not ideal, but you can review open PRs to make sure you don't have a conflict.
  • The slug is descriptive machine-name text (i.e., no spaces or special chars).

Did you visit the actual document related to this in the processes/ dir?
Let us know if there are other things that need better clarification.

Hi @lirantal,

Thank you for your response! I did take a look at the processes directory, but only saw one pertinent piece of information about vulnerabilities that were fixed external to the triage team, though it's quite possible I missed something.

I have another question about the JSON... are the created_at and updated_at fields about when the module was created, when the fix was created, when the report to the vendor came in, or when the JSON file was being constructed? 🙂

The time should be set for when the vulnerability is/was disclosed.
With most of the work coming through Hacker1, we disclose the vulnerability and PR the JSON file to the repo's db at the same time, so they are mostly synced in that way.
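Putting the answers in this thread together (an id that is the next free number among the existing vuln filenames, a machine-name slug with no spaces or special characters, and created_at/updated_at set to the disclosure time), here is an added example script. It is not part of this thread or of the security-wg repository's own tooling. The directory listing is constructed sample data, the exact slug rule (lower-case, hyphen-separated, at most 64 characters) is an assumption of the example, and the other fields a real DB entry carries are left out because the thread does not discuss them.

```javascript
'use strict';

// Constructed sample listing of the vuln directory (hypothetical file names,
// not the real repository contents). Non-numeric files are ignored.
const SAMPLE_LISTING = ['1.json', '2.json', '17.json', 'README.md', '3.json'];

// Entries are numbered files such as 17.json; the next id is max + 1.
// This only avoids conflicts with merged files: open PRs still have to be
// checked by hand, as the thread notes.
function nextId(filenames) {
  let max = 0;
  for (const name of filenames) {
    const m = /^(\d+)\.json$/.exec(name);
    if (m) max = Math.max(max, Number(m[1]));
  }
  return max + 1;
}

// Assumed slug rule: lower-case letters, digits and single hyphens only.
const SLUG_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
const SLUG_MAX_LEN = 64; // assumption, not a project limit

function isValidSlug(slug) {
  return typeof slug === 'string' && slug.length <= SLUG_MAX_LEN && SLUG_RE.test(slug);
}

// Derive a slug from free text (module name plus a short summary).
function toSlug(text) {
  return text
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '');
}

// Build the skeleton entry. created_at and updated_at are both the
// disclosure time, stored as ISO 8601 UTC; an unparseable date is rejected
// rather than silently becoming "Invalid Date".
function buildEntry({ filenames, slug, disclosedAt }) {
  if (!isValidSlug(slug)) throw new Error(`invalid slug: ${slug}`);
  const ts = new Date(disclosedAt);
  if (Number.isNaN(ts.getTime())) throw new Error(`invalid date: ${disclosedAt}`);
  const iso = ts.toISOString();
  return { id: nextId(filenames), slug, created_at: iso, updated_at: iso };
}

// Stand-alone run: print the entry for a constructed report.
const demoEntry = buildEntry({
  filenames: SAMPLE_LISTING,
  slug: toSlug('Example Module: Sample Report Title'),
  disclosedAt: '2018-03-04T00:00:00Z',
});
console.log(JSON.stringify(demoEntry, null, 2));
```

In practice `filenames` would come from reading the vuln directory of a fresh checkout; the script deliberately keeps that input explicit so the id selection can be tested without touching the repository.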

Hmm okay, hopefully I did this right. I've opened #142, and if I did it wrong, discussion can continue there. For that reason, I'm closing this issue. :tada:
